Please tell me if this code is vulnerable to SQL injection!

So I have some code used simply to check a DB for existing content and return an error if found. Here is the snippet in question:

$sql_w2 = "SELECT * FROM xf_user WHERE username='$username'";
$res_w2 = mysqli_query($db, $sql_w2);
$sql_e = "SELECT * FROM xf_user WHERE email='$email'";
$res_e = mysqli_query($db, $sql_e);

Is this vulnerable? Thanks!

NEVER EVER put variables in a query. Use Prepared Statements.

Do not SELECT *. Specify the columns you want by name

Do not use two queries when you only need one.

If your “existing content” check is for an existing username and/or email, DON'T. Set a unique constraint on the columns, attempt the insert and capture the duplicate error if any.

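The advice above, worked through as an added example (not code from the original poster or from the replies): the two lookups become one prepared statement with named columns, and the insert relies on the database's unique constraints instead of a pre-check. It assumes $db is an open mysqli connection and that xf_user has UNIQUE indexes on username and email.

```php
<?php
// Added example, not the original poster's code. Assumes $db is a mysqli
// connection and xf_user carries UNIQUE indexes on username and email.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// One query answers both questions. User input reaches the database only as
// bound parameters, never as part of the SQL text, so quotes in $username or
// $email cannot change the statement's structure.
function find_conflicts(mysqli $db, string $username, string $email): array
{
    $stmt = $db->prepare(
        'SELECT username, email FROM xf_user WHERE username = ? OR email = ?'
    );
    $stmt->bind_param('ss', $username, $email);
    $stmt->execute();

    $conflicts = [];
    foreach ($stmt->get_result() as $row) {
        if ($row['username'] === $username) { $conflicts[] = 'username'; }
        if ($row['email'] === $email)       { $conflicts[] = 'email'; }
    }
    return array_values(array_unique($conflicts));
}

// The approach benanmen recommends: skip the lookup entirely, let the UNIQUE
// constraints enforce the rule, and treat MySQL's duplicate-key error
// (errno 1062, ER_DUP_ENTRY) as "already taken". This also avoids the race
// where two requests pass the check and both insert.
function register_user(mysqli $db, string $username, string $email): bool
{
    try {
        $stmt = $db->prepare(
            'INSERT INTO xf_user (username, email) VALUES (?, ?)'
        );
        $stmt->bind_param('ss', $username, $email);
        $stmt->execute();
        return true;
    } catch (mysqli_sql_exception $e) {
        if ($e->getCode() === 1062) {
            return false;            // username or email already exists
        }
        throw $e;                    // anything else is a real failure
    }
}

// A string such as "'; DELETE FROM xf_user WHERE 'i'='i" is now only a value
// compared against the username column; it is never parsed as SQL.
```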

To emphasize benanmen’s point…

If I told your script my username was '; DELETE FROM xf_user WHERE 'i'='i
what would your query do?


Okay, point taken. I decided to simply stop using that code altogether as it was sloppy and superfluous. Thanks!
